Several people from our company log in to a server and upload files. They all need to be able
to upload and overwrite the same files. They have different usernames, but are all part of the
same group. However, this is an internet server, so the "other" users should have (in general) just
read-only access. So what I want to have is these standard permissions:

files: 664
directories: 771

My goal is that all users do not need to worry about permissions. The server should be configured in such
a way that these permissions apply to all files and directories, newly created, copied, or over-written. Only
when we need some special permissions we'd manually change this.

We upload files to the server by SFTP-ing in Nautilus, by mounting the server using sshfs and accessing it in Nautilus
as if it were a local folder, and by SCP-ing in the command line. That basically covers our situation and what we aim
to do.

Now, I have read many things about the beautiful umask functionality. From what I understand umask (together with PAM) should allow me
to do exactly what I want: set standard permissions for new files and directories. However, after many many hours of reading and trial-and-error,
I still do not get this to work. I get many unexpected results. I really like to get a solid grasp of umask and have many question unanswered. I will post these questions below,
together with my findings and an explanation of my trials that led to these questions. Given that many things appear to go wrong, I think that
I am doing several things wrong. So therefore, there are many questions.

NOTE: I am using Ubuntu 9.10 and therefore can not change the sshd_config to set the umask for the SFTP server. Installed SSH OpenSSH_5.1p1 Debian-6ubuntu2 < required OpenSSH 5.4p1. So here go the questions.

1. DO I NEED TO RESTART FOR PAM CHANGS TO TAKE EFFECT?

Let's start with this. There were so many files involved and I was unable to figure out what does and what does not affect things, also because I did not
know whether or not I have to restart the whole system for PAM changes to take effect. I did do so after not seeing the expected results, but is this really
necessary? Or can I just log out from the server and log back in, and should new PAM policies be effective? Or is there some 'PAM' program to reload?

2. IS THERE ONE SINGLE FILE TO CHANGE THAT AFFECTS ALL USERS FOR ALL SESSIONS?

So I ended up changing MANY files, as I read MANY different things. I ended up setting the umask in the following files:

I mean... WHAT just happened here?! We should get 644 every single time. Instead I get 711, 777, 600, and then once 644. And the 644 is only achieved
when creating a new, blank file through SSH, which is the least probable scenario.

What?! The REAL file permissions are very different from what we see in Nautilus. So does this umask on sshfs just create a 'filter' that shows unreal
file permissions? And I tried to open a file from another user but the same group that had real 600 permissions but 644 'fake' permissions, and I could
still not read this, so what good is this filter??

5. UMASK IS ALL ABOUT FILES. BUT WHAT ABOUT DIRECTORIES?

From my tests I can see that the umask that is being applied also somehow influences the directory permissions. However, I want my files to be 664 (002)
and my directories to be 771 (006). So is it possible to have a different umask for directories?

6. PERHAPS UMASK/PAM IS REALLY COOL, BUT UBUNTU IS JUST BUGGY?

On the one hand, I have read topics of people that have had success with PAM/UMASK and Ubuntu. On the other hand,
I have found many older and newer bugs regarding umask/PAM/fuse on Ubuntu:

So I do not know what to believe anymore. Should I just give up? Would ACL solve all my problems?
Or do I have again problems using Ubuntu?

One word of caution with backups using
tar. Red Hat /Centos distributions
support acls in the tar program but
Ubuntu does not support acls when
backing up. This means that all acls
will be lost when you create a backup.

I am very willing to upgrade to Ubuntu 10.04 if that would solve my problems too, but first I want to understand what is happening.

4 Answers
4

any pam.d umask would get overridden by any entry in .bashrc,
but .bashrc only gets read under certain circumstances (interactive, non-login shell)

testfile (711) is very strange

how is /home mounted, and are you using ACLs?
(e.g. what do ls -ld /home and getfacl /home print?)

did testfile already exist before you did the copy,
because scp won't change the permissions on a file that already existed (unless you use the -p flag)

Nautilus is known to create files a different way, not sure why, or what the rules are

umask=0113 will probably cause problems

are the server and client running the same operating system?
for example, if the client has ACLs enabled, or is Cygwin, the behavior can be different

the best way to force sane permissions is to use default ACLs, exactly because,
as you discovered, umask can be overridden by the user in .bashrc and .bash_profile.

Update:

umask=0113 for sshfs is wrong.

Try mounting without specifying a umask

Create a new file inside the mount point using touch.

You should see it only gets e.g. -rw-r--r--, without x bits

By masking out x bits, you might break directories
and compilers may be unable to create executable files properly

Workaround:

If we can't think of anything better, you could either use fam or gamin to watch for new files being created and fix the permissions on them, or even just a script that runs periodically and sets the permissions on all files.

Thanks! OK, so I removed ALL umask settings except for pam.d/common-sessions. This resolved several issues! Test 1 (SCP) and Test 4 (New file in Nautilus) now work well. Hurdles now are copying a file with whatever permissions in Nautilus to server (Test 3 - still 777 instead of 664). And the directory issues. Both server and client are Ubuntu (9.10 vs 10.10 though), and no additional ACLs are enabled.
– user60129Feb 6 '11 at 3:21

Note that default ACLs do not enforce a maximum set of permissions, they just make those permissions the default. cp -p, scp -p, and copying via Nautilus will still try to make the copy's permissions the same as the file being copied.
– MikelFeb 6 '11 at 21:35